High severity (8.8, NVD) Advisory · Published Feb 13, 2025 · Updated Apr 15, 2026
CVE-2025-26511
Description
Systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin, versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.2-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x, are susceptible to a vulnerability which, when successfully exploited, could allow authenticated Cassandra users to remotely bypass RBAC and escalate their privileges.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.instaclustr:cassandra-lucene-index-plugin (Maven) | >= 4.0-rc1-1.0.0, < 4.0.17-1.0.0 | 4.0.17-1.0.0 |
| com.instaclustr:cassandra-lucene-index-plugin (Maven) | >= 4.1.0-1.0.0, < 4.1.8-1.0.1 | 4.1.8-1.0.1 |
Patches (2)
44ab4b639c93 Update to Apache Cassandra 4.0.17
1 file changed · +2 −0
plugin/src/main/scala/com/stratio/cassandra/lucene/IndexQueryHandler.scala+2 −0 modified@@ -97,6 +97,8 @@ class IndexQueryHandler extends QueryHandler with Logging { options: QueryOptions, queryStartNanoTime: Long): ResultMessage = { + statement.authorize(state.getClientState); + statement.validate(state.getClientState); // Intercept Lucene index searches statement match { case select: SelectStatement =>
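Review bot: the two added calls are the whole fix, and the commit touches only this one file (1 file changed, +2 −0), so no regression test is added; a test that routes a SELECT through IndexQueryHandler as a role lacking SELECT permission on the indexed table and asserts the request is rejected would keep this bypass from silently returning. Placing `statement.authorize(state.getClientState);` before `statement.validate(state.getClientState);` and ahead of the `statement match { case select: SelectStatement =>` interception is the right position, since every statement entering this method now passes the permission check before any Lucene-specific handling. Minor style point: the trailing semicolons on the two new lines are not used elsewhere in this Scala file; drop them.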
94380b165bd3 Update scala bridge, update IndexQueryHandler logic
2 files changed · +4 −1
plugin/pom.xml+1 −1 modified@@ -42,7 +42,7 @@ <version.findbugs>3.0.1</version.findbugs> <version.jdeb>1.8</version.jdeb> <version.rpm>1.5.0</version.rpm> - <version.scala.maven.plugin>4.4.0</version.scala.maven.plugin> + <version.scala.maven.plugin>4.9.2</version.scala.maven.plugin> <version.scala>2.13.1</version.scala> <outputDirectory>${project.build.directory}</outputDirectory> <maintainer>smiklosovic at apache dot org</maintainer>
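Review bot: the bump of `<version.scala.maven.plugin>` from 4.4.0 to 4.9.2 is a build-tooling change bundled into the same commit as the authorization fix; unless the newer plugin is required for the fix to compile, it belongs in a separate commit so the security change can be backported and reviewed on its own, and the commit message should say why the bump is needed.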
plugin/src/main/scala/com/stratio/cassandra/lucene/IndexQueryHandler.scala+3 −0 modified@@ -98,6 +98,9 @@ class IndexQueryHandler extends QueryHandler with Logging { options: QueryOptions, requestTime: Dispatcher.RequestTime): ResultMessage = { + statement.authorize(state.getClientState); + statement.validate(state.getClientState); + options.prepare(statement.getBindVariables) if (statement.getBindVariables.size != options.getValues.size) throw new InvalidRequestException("Invalid amount of bind variables") if (!state.getClientState.isInternal) QueryProcessor.metrics.regularStatementsExecuted.inc()
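Review bot: same fix as on the 4.0 branch, with authorize and validate now also running before `options.prepare(statement.getBindVariables)` and the bind-variable count check, which is the correct order: a caller without permission on the target table is rejected before any of its bind values are processed. As with the 4.0 commit, no test accompanies the change (2 files changed, both non-test), and the trailing semicolons on the two new `statement.` lines are inconsistent with the surrounding Scala (the added `options.prepare(...)` line has none).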
References (5)
- github.com/advisories/GHSA-mrqp-q7vx-v2cx (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-26511 (GHSA, advisory)
- github.com/instaclustr/cassandra-lucene-index/commit/44ab4b639c9354a6335f40b1cf6178c745c6e101 (NVD, web)
- github.com/instaclustr/cassandra-lucene-index/commit/94380b165bd3e597d3e22e47f8cc674ec7c7bf7f (GHSA, web)
- github.com/instaclustr/cassandra-lucene-index/security/advisories/GHSA-mrqp-q7vx-v2cx (NVD, web)
News mentions (0)
No linked articles in our index yet.